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===== Phrack Magazine presents Phrack 16 ===== 
===== File 1 of 12 : Phrack 16 Intro ===== 


Greetings, and welcome to Phrack #16, we are a bit late, 
then ever. I think you will find this issue very interesting. 


Enjoy and have Phun 


Elric of Imrryr - Editor 
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===== Phrack Magazine presents Phrack 16 ===== 


BELLCORE Information by The Mad Phone-man 


So, you’ve broken into the big phone box on the wall, and are looking at a 
bunch of tags with numbers and letters on them. Which one is the modem line? 
Which one is the 1-800 WATS line? Which one is the Alarm line? Bell has a 
specific set of codes that enable you to identify what you’re looking at. 

These are the same codes the installer gets from the wire center to enable him 
to set up the line, test it, and make sure it matches the customers order. 
Here are som xtracts from the Bellcore book. 


First lets take a hypothetical line number I’m familiar with: 
64FDDV 123456 


The serial number format: 


Prefix 4 service code + modifier + serial number + 
digits: 1,2 3,4 Bo. DES, 94 10: LA 2 continued 
Suffix + CO assigning circuit number + segment 
digits: 13,14,15 16,17,18,19 20,21,22 


The important shit is in the 3rd thru 6th digit. 


SERVICE CODES Intra or Inter LATA Block 1-26 


AA- Packet analog access line 


AB- Packet switch trunk 

AD- Attendant 

AF- Commercial audio fulltime 

AI- Automatic identified outward dialing 
AL- Alternate services 

AM- Packet, off-network access line 

AN- Announcement servic 

AO- International/Overseas audio (full time) 
AP- Commercial audio (part time) 

AT- International/Overseas audio (part time) 
AU- Autoscript 

BA- Protective alarm (CD) 

BL- Bell & lights 

BS- Siren control 

CA- SSN Access 

CB- OCC Audio facilities 

CC- OCC Digital facility-medium speed 

CE- SSN Station line 

CF- OCC Special facility 

CG- OCC Telegraph facility 

CH- OCC Digital facility high-speed 

CI- Concentrator Identifier trunk 

CJ- OCC Control facility 

CK- OCC Overseas connecting facility wide-band 
CL- Centrex CO line 

CM- OCC Video facility 

CN- SSN Network trunk 

CO- OCC Overseas connecting facility 

CP- Concentrator identifier signaling link 
CR- OCC Backup facility 

CS- Channel service 

CT- SSN Tie trunk 


CV- OCC Voice grade facility 
CW- OCC Wire pair facility 
CZ- OCC Access facility 
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DA- Digital data off-net extension 

DB- HSSDS 1.5 mb/s access line 

DF- HSSDS 1.5 mb/s hub to hub 

DG- HSSDS 1.5 mb/s hub to earth station 
DH- Digital service 
DI- Direct-in dial 
DJ- Digit trunk 
DK- Data link 

DL-— Dictation line 
D 

D 

D 

D 


O- Direct-out dial 

P— Digital data-2 4 kb/s 

Q- Digital data-4 8 kb/s 

R- Digital data-9.6 kb/s 

DW- Digital data-56 kb/s 

DY- Digital service (under 1 mb/s) 
EA- Switched access 

EB- ENFIA II end office trunk 

EC- ENFIA II tandem trunk 

EE- Combined access 

EF- Entrance facility-voice grade 

EG- Type #2 Telegraph 

EL- Emergency reporting line 
Emergency reporting center trunk 
Exchange network access facility 
- Entrance facility-program grade 
Equipment only-(network only) assignment 
Extension service-voice grad 
Entrance facility-telegraph grade 
Extension service-telegraph grade 
Enhanced Emergency reporting trunk 
Off network MTS/WATS equivalent service 
— Private line-data 

FG- Group-supergroup spectrum 

FR- Fire dispatch 

FT- Foreign exchange trunk 

FW- Wideband channel 

FV- Voice grade facility 

FX- Foreign exchange 

HP- Non-DDS Digital data 2.4 kb/s 

HQ- Non-DDS Digital data 4.8 kb/s 

HR- Non-DDS Digital data 9.6 kb/s 

HW- Non-DDS Digital data 56 kb/s 

IT- Intertandem tie trunk 


3 6 


AE 


es ee iF NOWBAZE 


re 


AA- Local area data channel 

LL- Long distance terminal line 
1S- Local service 

LT- Long distance terminal trunk 


MA- Cellular access trunk 2-way 

MT- Wired music 

NA- CSACC link (EPSCS) 

NC- CNCC link (EPSCS) 

ND- Network data line 

OI- Off premises intercommunication station line 
ON- Off network access line 

OP- Off premises extension 

OS- Off premises PBX station line 
PA- Protective alarm (AC) 

PC- Switched digital-access line 

PG- Paging 

PL- Private line-voice 

PM— Protective monitoring 

PR- Protective relaying-voice grade 
PS- MSC constructed spare facility 
PV- Protective relaying-telegraph grade 
PW- Protective relaying-signal grade 
PX- PBX station line 

PZ- MSC constructed circuit 

QU- Packet asynchronous access line 


[7] 
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Qs- 
RA 


Packet synchronous access line 


RT- 
SA- 


Remote attendant 

Radio landline 

Satellite trunk 

Control/Remote metering signal grade 
Secretarial line 

Sampling 
Special access termination 
Equipment only-customer premises 
Dataphone select-a-station 


andem tie-trunk 

Control/Remote metering-telegraph grade 
Telephoto/Facsimile 

Local PBX trunk 


Non-tandem tie trunk 


urret or automatic call distributor (ACD) 


letypewriter channel 


urret or automatic call distributor (ACD) 
Dedicated facility 
Commercial television (full time) 
Commercial television (part time) 
Control/Remote metering-voice grad 
International overseas television 
Non-commercial television (7003,7004) 
Special 800 surface trunk 

Special WATS trunk (OUT) 

800 surface trunk 

WATS line (OUT) 

WATS trunk (OUT) 

800 service line 

WATS trunk (2-way) 

WATS line (2-way) 

Alarm circuits 


Call and talk circuits 


Emergency patching circuits 


Order circuits, facility 

Measurement and recording circuits 

Test circuit, plant service center 
Quality and management circuits 
Switching, control and transfer circuits 
Test circuits, central office 

Order circuits, service 


SERVICE CODES FOR LATA ACCESS 


trunk 


line 


HC 
HD 
HE 


High capacity 1.544 mb/ps 
High capacity 3.152 mb/ps 
High capacity 6.312 mb/ps 
High capacity 6.312 

High capacity 274.176 mb/s 
High capacity subrate 
Voice-non switched line 
Voice-switched line 
Voice-switched trunk 


Voice and tone-radio landline 


Data low-speed 

Basic data 

Voice and data-PSN access trunk 

Voice and data SSN access 

Voice and data-SSN-intermachine trunk 
Data extension, voice grade data facility 
Telephoto/Facsimile 


Voice grade customized 
Protection relay-voice grad 
Dedicated facility 

Metallic customized 
Telegraph customized 
Protection alarm-metallic 
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NU- Protection alarm 

NV- Protective relaying/Telegraph grade 
NW- Telegraph grade facility-75 baud 
NY- Telegraph grade facility- 150 baud 
E- Program audio, 200-3500 hz 

F- Program audio, 100-5000 hz 

J- Program audio, 50-8000 hz 

K- Program audio, 50-15000 hz 

Q- Program grade customized 

B- Switched access-standard 
D 


— Switched access-improved 

SE- Special access WATS-access-std 
SF- Special access WATS access line improved 
SJ- Limited switched access line 
TQ- Television grade customized 

V- TV Channel one way 15khz audio 
[W- TV Channel one way 5khz audio 
WB- Wideband digital, 19.2 kb/s 
WE- Wideband digital, 50 kb/s 

WF- Wideband digital, 230.4 kb/s 
WH- Wideband digital, 56 kb/s 

WJ- Wideband analog, 60-108 khz 

L ideband analog 312-552 khz 
WN- Wideband analog 10hz-20 khz 
WP- Wideband analog, 29-44 khz 

WR- Wideband analog 564-3064 khz 
XA- Dedicated digital, 2.4 kb/s 
XB- Dedicated digital, 4.8 kb/s 
XG- Dedicated digital, 9.6 kb/s 
XH- Dedicated digital 56. kb/s 


| 
4 


Now the last two positions of real importance, 5 & 6 translate thusly: 


Modifier Character Position 5 


INTRASTATE INTERSTATE 
A B Alternate data & non data 
Cc Customer controlled service 
D E Data 
N L Non-data operation 
P Only offered under intra restructured 
private line (RPL) tariff 
S T Simultaneous data & non-data 
F Interexchange carriers is less than 50% 
G Interstate carrier is more than 50% 
usage 
MODIFIER CHARACTER POSITION 6 
TYPE OF SERVICE Intra LATA 
ALL EXCEPT US GOVT US GOVERNMENT 
T M Circuit is BOC customer to BOC customer 


all facilities are TELCO provided 
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C P Circuit is BOC/BOC and part of 
facilities or equipment is telco 
provided 

A J Circuit is BOC/BOC all electrically 


connected equip is customer provided 


L F Circuit terminates at interexchange 
carrier customers location 


Z Official company service 


Interlata 
S S Circuit terminates at interexchange 
carriers point of term (POT) 


V V Circuit terminates at an interface of a 
radio common carrier (RCC) 


Z Official company service 
Corridor 
Y X Corridor circuit 
International 
K H Circuit has at least 2 terminations in 


different countries 


Interexchange carrier 
Y Xx Transport circuit between interexchange 
carrier terminals. 


So 64FDDV would be a private line data circuit terminating at a radiocommon 
carrier. Other examples can be decoded likewis 


Enjoy this information as much as I’ve had finding it. 


-= The Mad Phone-man =-— 
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===== Phrack Magazine presents Phrack 16 ===== 


===> Cosmos Kid Presents... ===> 
=== A Hacker’s Guide To: PRIMOS ===> 
===> Part I ===> 

== (c) 1987 by Cosmos Kid ==== 


Author’s Note: 


This file is the first of two files dealing with PRIMOS and its operations. 
The next file will be in circulation soon so be sure to check it out at any 
good BBS. 


Preface: 

This file is written in a form to teach beginners as well as experienced 
Primos users about the system. It is written primarily for beginners however. 
PRIMOS, contrary to popular belief can be a very powerful system if used 
correctly. I have outlined some VERY BASIC commands and their use in this 
file along with some extra commands, not so BASIC. 


Logging On To A PRIMOS: 


A PRIMOS system is best recognized by its unusual prompts. These are: ’OK’, 
and ’ER!’. Once connected, these are not the prompts you get. The System 
should identify itself with a login such as: 


Primenet V2.3 
-or- 
Primecom Network 


The system then xpects some input from you,preferably: LOGIN. You will 
then be asked to enter your user identification and password as a security 


measure. The login onto a PRIMOS is as follows: 
CONNECT 

Primenet V 2.3 (system) 

LOGIN<CR> (you) 

User id? (system) 

AA1234 (you) 

Password? (system) 

KILLME (you) 

OK, (system) 


Preceding the OK, will be the systems opening message. Note that if you fail 
to type login once connected, most other commands are ignored and the system 
responds with: 


Please Login 
ER! 


Logging Off Of A PRIMOS: 


If at any time you get bored with Primos, just type ’LOGOFF’ to leave the 
system. Some systems have a TIMEOUT feature implemented meaning that if you 
fail to type anything for the specified amount of time the system will 
automatically log you out, telling you something like: 


Maximum Inactive Time Limit Exceeded 
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System Prompts: 


As stated previously, the prompts ’ER!’ and ’OK,’ are used on Primos. The 
‘OK,’ denotes that last command was executed properly and it is now waiting 
for your next command. The ’ER!’ prompt denotes that you made an error in 


typing your 
message. 


last command. This prompt is usually preceded by an error 


Special Characters: 


Some terminals have certain characteristics that are built in to the terminal. 


key 


CONTROL-H 
Deletes the 


last character typed. 


Other Special Characters: 


RETURN: The return key signals PRIMOS that you have completed typing a 
command and that you are ready for PRIMOS to process the command. 


BREAK/CONTROL-P: Stops whatever is currently being processed in memory and 


will return PRIMOS to your control. To restart a process, 


type: 
START (abbreviated with S). 


CONTROL-S: Stops the scrolling of the output on your terminal for viewing. 


CONTROL-Q: Resumes the output scrolling on your terminal for inspection. 


SEMICOLON ';’: The logical end of line character. The semicolon is used to 


enter more than one command on one line. 


Getting Help: 


K 
fe) 
tar 
e) 
ie}) 


~ 


ne 


iles. This 


= 


hese topics 


Un t H'O t me: ct 


he HELP sub-system and will display an informative page of text. 
age displayed will provide you with a list of topics and their keywords. 


n get on-line information about the available PRIMOS commands by using 
HELP’ command. The HELP system is keyword driven. That is, all 
nformation is stored under keywords that indicate the content of the help 


is similar to VAX. Entering the single command /’/HELP’ will enter 
The next 


include such items as PRIME, RAP, MAIL, and DOC. If you entered 


he MAIL keyword, you would be given information concerning the mail sub- 


7 


ystem available to users on P simply enter PRIME to obtain information on all 
RIMOS commands. You could then enter COPY to obtain information on that 


specific topic. 


Files And Directories: 


The name of a file or sub-directory may have up to 32 characters. The 


filename may 


contain any of the following characters, with the only 


restriction being that the first character of the filename may not be a digit. 
Please note that BLANK spaces are NOT allowed ANYWHERE: 


SEB) slat, alphabet 
SO 5 fathbies numeric digits 


es pound sign 
$Rares dollar sign 


A 
0 
a eons ampersand 
# 
$ 


He oitie dash/minus sign 
BO kbs asterisk/star 
- ~baghes period/dot 
foe tia ghss slash/divide sign 
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Naming Conventions: 


There are very few restrictions on the name that you may give a file. 
However, you should note that many of the compilers (language processors) and 
commands on the PRIME will make certain assumptions if you follow certain 
guidelines. File name suffixes help to identify the file contents with regard 
to the language the source code was written in and the contents of the file. 
For instance, if you wrote a PL/1 program and named the file containing the 
source code ’PROG1.PL1’ (SEGmented loader) would take the binary file, link 
all the binary libraries that you specify and produce a file named 
'PROG1.SEG’, which would contain the binary code necessary to execute the 
program. Some common filename suffixes are: F77, PAS, COBOL, PL1G, BASIC, 
FTN, CC, SPIT (source files). These all denot separate languages and get 
into more advanced programming on PRIMOS. (e.g. FTN=Fortran). 


BIN=the binary code produced by the compiler 
LIST=the program listing produced by the compiler 
SEG=the linked binary code produced by SEG 


Some files which do not use standard suffixes may instead use the filenam 
prefixes to identify the contents of the file. Some common filename prefixes 
are: 


B Binary code produced by the compiler 
L source program Listing 

Command files 

Temporary work files (e.g. T$0000) 
Seg files 


+ Ur C) 


Commands For File Handling: 


PRIMOS has several commands to control and access files and file contents. 
These commands can be used to list the contents of files and directories, and 
to copy, add, delete, edit, and print the contents of files. The capitalized 
letters of each are deleted. A LIST must be enclosed in parenthesis. 


Close arg ....-Closes the file specified by ’arg’. ‘Arg’ could also be 
a list of PRIMOS file unit numbers, or the word ’ALL’ which 
closes all open files and units. 


LIMITS ....Displays information about the login account, including 
information about resources allocated and used, grantor, and 
expiration date. 


Edit Access ....Edits the Access rights for the named directories and 
files. 
CName argl arg2 ....Changes the Name of ’argl’ to ’arg2’. The arguments can 


be files or directories. 


LD ....The List Directory command has several arguments that 
allow for controlled listing format and selection of entries. 


Attach arg ....-allows you to Attach to the directory ’arg’ with the 
access rights specified in the directory Access Control List. 


DOWN <arg> ....allows you to go ’DOWN into’ a sub-ufd (directory). You 
can specify which one of several sub-ufds to descend into 
with the optional ‘’arg’. 


UP <arg> ....allows you to go ’UP into’ a higher ufd (directory). You 
can specify which one of several to climb into with the 
optional ‘arg’. 


WHERE ....Displays what the current directory attach point is and 
your access rights. 
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CREATE arg ....CREATES a new sub-directory as specified by ’arg’. 


COPY argl arg2 ....COPIES the file or directory specified by ’argl’ into a 
file by the same name specified by ’arg2’. Both ’argl’ and 
‘arg2’ can be filename with the SPOOL command, whose format 
is: 


SPOOL filename -AT destination 

where filename is the name of the file you want printed, and 
destination is the name of the printer where you want the 
file printed. For example if you want the file ’HACK.FTN’ 
printed at the destination ’LIB’ type: 


SPOOL HACK.FTN -AT LIB 


PRIMOS then gives you some information telling you that the file named was 
SPOOLed and the length of the file in PRIMOS records. To s th ntries in 
the SPOOL queue, type: 


SPOOL -LIST 


PRIMOS then lists out all the files waiting to be printed on the printers on 
your login system. Also included in this information will be the filename of 
the files waiting to print, the login account name of the user who SPOOLed the 
file, the time that the file was SPOOLed, the size of the file in PRIMOS 
records, and the printer name where the file is to print. 


Changing The Password Of An Account: 


If you wish to change the password to your newly acquired account you must use 
the ‘CPW’ command (Change PassWord). To do this enter the current password on 
the command line followed by RETURN. PRIMOS will then prompt you for your 
desired NEW password and then ask you to confirm your NEW password. To change 
your password of ’JOE’ to '’SCHMOE’ then type: 


OK, (system) 
CPW JOE (you) 
New Password? (system) 


You can save a copy of your terminal session by using the COMO (COMmand 
Output) command. When you type: 


COMO filename 


Everything which is typed or displayed on your terminal is saved (recorded) 
into the filename on the command line (filename). If a file by the same name 
exists, then that file will be REPLACED with NO WARNING GIVEN! When you have 
finished doing whatever it was you wanted a hardcopy of, you type: 


COMO -End 


which will stop recording your session and will close the COMO file. You can 
now print the COMO file using the SPOOL command as stated earlier. 


Conclusion: 

This concludes this first file on PRIMOS. Pleas remember this file is 

written primarily for beginners, and some of the text may have seemed BORING! 
However, this filewaswrittenin a verbose fashion to FULLYINTRODUCEPRIMOS 

to beginners. Part II will deal with more the several languages on PRIMOS and 
some other commands. 


Author’s Endnote: 


I would like to thank the following people for the help in writing this file: 
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AMAD 
The 


EUS (an oldie who is LONG GONE!) 


University Of Kentucky 


State University Of New York (SUNY) Primenet 


And countless others..... 


Questions, threats, or suggestions to direct towards me, 
of the following: 


The Freeworld ][......... 301-668-7657 
Digital DOGiGs tei cmeteees 305-395-6906 
The Executive: Intes.. ess % 915-581-5146 
OSUNY “BB S:ie-d-6 si aitas 48 eicehs, eae ks 914-725-4060 


-=*< Cosmos Kid >*=-— 


I can be found on any 
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===== Phrack Magazine presents Phrack 16 ===== 


Hacking the Global Telecommunications Network 
Researched and written by: The Kurgan 
Compiled on 10/5/87 


Network Procedure Differences 


The Global Telecommunications Network (GIN) is Citibanks’s international data 
network, which allows Citicorp customers and personnel to access Citibank’s 
worldwide computerized services. 


Two different sign on procedures exist: Type A and Type B. All users, except 
some in the U.S., must use Type B. (U.S. users: the number you dial into 
and the Welcome Banner you receive determin what sign-on procedure to 
follow.) Welcome banners are as follows: 

YPE A: 
WELCOME TO CITIBANK. PLEASE SIGN ON. 

XXXXXXXX 

@ 

PASSWORD = 

@ 

TYPE B: 

PLEASE ENTER YOUR ID:-1-> 

PLEASE ENTER YOUR PASSWORD :-2-> 

CITICORP (CITY NAME). KEY GHELP FOR HELP. 

XXX. XXX 
PLEASE SELECT SERVICE REQUIRED.-3-> 


Type A User Commands 


User commands are either instructions or information you send to the network 
for it to follow. The commands available are listed below. 


User Action: Purpose: 


@ (CR) To put you in command mode (mode in which you can put 
your currently active service on hold and ask the network 


for information, or log-off the service). (NOTE: This 
symbol also serves as the network prompt; see Type A 
messages.) 


BYE (CR) To leave service from command mode. 


Continue (CR) To return to application from command mode (off hold) 


D (CR) To leave service from command mode. 

ID To be recognized as a user by the network (beginning of 
sign on procedure), type ID, then a space and your 
assigned network ID. (Usually 5 or 6 characters long) 

Status (CR) To see a listing of network address (only from @ 
prompt). You need this address when "reporting a 
problem." 


Type A messages 


The network displays a variety of messages on your screen which either requir 
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a user command or provide you with information. 


Screen shows: Explanation: 


@ Network prompt -- request for Network ID. 


BAD PASSWORD Network does not except your password. 


<address> BUSY 


WELCOME TO CITIBANK. 
PLEASE SIGN ON. 
XXX. XXX 


Lt] 


<address> ILLEGAL 


<address> CONNECTED 


DISCONNECTED 


NOT CONNECTED 


NUI REQUIRED 


PASSWORD = 


STILL CONNECTED 


The address is busy, try back later. 


Network welcome banner. Second line provides address 
# to be used when reporting "problems." 


You typed in an address that doesn’t exist. 

Your connection has been established. 

Your connect has been disconnected. 

You’ re not connected to any service at the time. 


Enter your network user ID. 


Request for your assigned password. 
You are still connected to the service you were using. 


Network doesn’t understand your entry. 


Type B User Commands and Messages 


Since the Type B procedure is used with GIN dial-ups, it requires fewer 
commands to control the network. There is only 1 Type B command. Break plus 
(CR) allows you to retain connection to one service, and connect with another. 


Screen Shows: Explanation: 


CITICORP (CITY NAME). 
PLEASE SELECT SERVIC! 


[7] 


COM Connection made. 


vailable. 


ow 


ERR Error in servic 


Network Welcome banner. Type in service address. 


DER The port is closed out of order, or no open routes are 


DISCONNECTED You have disconnected from the service and the network. 


selected. 


INV Error in system. 


MOM Wait, the connection is being made. 


NA Not authorized for this service. 
NC Circuits busy, try again. 

NP Check service address. 

OCE Service busy, try again. 


Sign-on Procedures: 
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There are two types of sign on procedures. Type A and Type B. 


Type A: 


[To log onto a system with type A logon procedure, th asiest way is through 
Telenet. Dial your local Telenet port. When you receive the "@" prompt, type 
in the Type-A service address (found later in the article) then follow the 
instructions from there on. 


Type-B: 
Dial the your GTN telephone #, then hit return twice. You will then see: 


"PLEASE ENTER YOUR ID:-1->" 


Type in a network ID number and hit return. 


You will then see 


"PLEASE ENTER YOUR PASSWORD:-2->" 


Type in Network Password and hit return. 


Finally you will see the "CITICORP (city name)" welcome banner, and it 
will ask you to select the service you wish to log onto. Type the address and 
hit return. (A list of addresses will be provided later) 


Trouble Shooting: 


If you should run into any problems, the Citicorp personnel will gladly 
help their "employees" with any questions. Just pretend you work for Citibank 
and they will give you a lot. This has been tried and tested. Many times, 
when you attempt to log on to a system and you make a mistake with the 
password, the system will give you a number to call for help. Call it and 
tell them that you forgot your pass or something. It usually works, since 
they don’t expect people to be lying to them. If you have any questions about 
the network itself, call 305-975-5223. It is the Technical Operations Center 
(TOC) in Pompano, Florida. 


Dial-Ups: 

The following list of dial-ups is for North America. I have a list of 
others, but I don’t think that they would be required by anyone. Remember: 
Dial-ups require Type-B log-on procedure. Type-A is available on systems 


accessible through Telenet. 


Canada Toronto 416-947-2992 (1200 Baud V.22 Modem Standard) 
U.S.A. Los Angeles 213-629-4025 (300/1200 Baud U.S.A. Modem Standard) 
Jersey City 201-798-8500 
New York City 212-269-1274 
212-809-1164 


Service Addresses: 


The following is a VERY short list of just some of the 100’s of service 


addresses. Ina later issue I will publish a complete list. 
Application Name: Type-A Type-B 
CITIADVICE 2240001600 CADV 


CITIBANKING ATHENS 2240004000 :30 
CITIBANKING PARIS 2240003300 :33 
CITIBANKING TOKYO 2240008100 :81 
CITICASH MANAGER 
INTERNATIONAL 1 (NAFG CORP) 2240001200 CCM1 
INTERNATIONAL 7 (DFI/WELLS FARGO) 2240013700 CCM7 
COMPMARK ON-LINE 2240002000 CS4 
ECONOMIC WEEK ON-LINE 2240011100 FAME1 
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INFOPOOL/INFOTEXT 2240003800 IP 


EXAMPLE OF LOGON PROCEDURE: 


THE FOLLOWING IS THE BUFFERED TEXT OF A LOG-ON TO CITIBANKING PARIS THROUGH 
TELENET. 


CONNECT 1200 
TELENET 
216 13.41 


ERMINAL=VT100 


@2240003300 


223 90331E CONNECTED 


ENTER TYPE NUMBER OR RETURN 
YPE B IS BEEHIVE DM20 

YPE 1 IS DEC VT100 

TYPE A IS DEC VT100 ADV VIDEO 
TYPE 5 IS DEC VT52 

[TYPE C IS CIFER 2684 

YPE 3 IS LSI ADM 3A 

TYPE L IS LSI ADM 31 

YPE I IS IBM 3101 

YPE H IS HP 2621 

YPE P IS PERKIN ELMER 1200 
YPE K IS PRINTER KEYBOARD 

YPE M IS MAI BASIC 4 

YPE T IS TELEVIDEO 9XX 

[TYPE V IS VOLKER CRAIG 4404 
YPE S IS SORD MICRO WITH CBMP 
RELEASE BSC9.5 -— O6JUN85 

FOR 300 BAUD KEY ! AND CARRIAGE RETURN 
CONFIG. K1.1—-I11H-R-C-B128 
ENTER TYPE NUMBER OR RETURN K 


CONNECTED TO CITIBANK PARIS - CBP1l ,PORT 5 


Have fun with this info, and remember, technology will rule in the end. 
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===== Phrack Magazine presents Phrack 16 ===== 


The Laws Governing Credit Card Fraud 


Written by Tom Brokaw 
September 19, 1987 


Written exclusively for: 
Phrack Magazine | 


(A Tom Brokaw/Disk Jockey Law File Production) 


Introduction: 


In this article, I will try to explain the laws concerning the illegal 
use of credit cards. Explained will be the Michigan legislative view on the 
misuse and definition of credit cards. 


Definition: 


Well, Michigan Law section 157, defines a credit card as "Any instrument 
or device which is sold, issued or otherwise distributed by a business 
organization identified thereon for obtaining goods, property, services or 
anything of value." A credit card holder is defined as: 1) "The person or 
organization who requests a credit card and to whom or for whose benefit a 
credit card is subsequently issued" or 2) "The person or organization to whom 
a credit card was issued and who uses a credit card whether the issuance of 
the credit card was requested or not." In other words, if the company or 
individual is issued a card, once using it, they automatically agree to all 
the laws and conditions that bind it. 


Stealing, Removing, Retaining or Concealment: 


Michigan Law states, that it is illegal to "steal, knowingly take or 
remove a credit card from a card holder." It also states that it is wrongful 
to "conceal a credit card without the consent of the card holder." Notice 
that it doesn’t say anything about carbons or numbers acquired from BBSes, 
but I think that it could be considered part of the laws governing the access 
of a persons account without the knowledge of the cardholder, as described 
above. 


Possession with Intent to Circulate or Sell 


The law states that it is illegal to possess or have under one’s control, 
or receive a credit card if his intent is to circulate or sell the card. It 
is also illegal to deliver, circulate or sell a credit card, knowing that such 
a possession, control or receipt without the cardholders consent, shall be 
guilty of a FELONY. Notice again, they say nothing about possession of 
carbons or numbers directly. It also does not clearly state what circulation 
or possession is, so we can only stipulate. All it says is that possession of 
a card (material plastic) is illegal. 


Fraud, forgery, material alteration, counterfeiting. 


However, it might not be clearly illegal to possess a carbon or CC 
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number. It IS illegal to defraud a credit card holder. Michigan law states 
that any person who, with intent to defraud, forge, materially alter or 
counterfeit a credit card, shall be guilty of a felony. 


Revoked or cancelled card, use with intent to defraud. 


This states that "Any person who knowingly and with intent to defraud for 
the purpose of obtaining goods, property or services or anything of value ona 
credit card which has been revoked or cancelled or reported stolen by the 
issuer or issuee, has been notified of the cancellation by registered or 
certified mail or by another personal service shall be fined not more than 
$1,000 and not imprisoned not more than a year, or both. However, it does not 
clearly say if it is a felony or misdemeanor or civil infraction. My guess is 
that it would be dependant on the amount and means that you used and received 
when you defraud the company. Usually, if it is under $100, it isa 
misdemeanor but if it is over $100, it is a felony. I guess they figure that 
you should know these things. 


The People of The State of Michigan vs. Anderson (possession) 


On April 4, 1980, H. Anderson attempted to purchase a pair of pants at 
Danny’s Fashion Shops, in the Detroit area. He went up to the cashier to pay 
for the pants and the cashier asked him if he had permission to use the credit 
card. He said "No, I won it last night in a card game". The guy said that I 
could purchase $50 dollars worth of goods to pay back the debt. At the same 
time, he presumed the card to be a valid one and not stolen. Well, as it 
turned out it was stolen but he had no knowledge of this. Later, he went to 
court and pleased guilty of attempted possession of a credit card of another 
with intent or circulate or sell the same. At the guilty hearings, Mr. 
Anderson stated that the credit card that he attempted to use had been 
acquired by him in payment of a gambling debt and assumed that the person was 
the owner. The trial court accepted his plea of guilty. At the sentencing, 
Mr. Anderson, denied that he had any criminal intent. Anderson appealed the 
decision stating that the court had erred by accepting his plea of guilty on 
the basis of insufficient factual data. Therefore, the trial court should not 
have convicted him of attempted possession and reversed the charges. 


The People of the State of Michigan vs. Willie Dockery 


On June 23, 1977, Willie Dockery attempted to purchase gas at a Sears gas 
station by using a stolen credit card. The attendant noticed that his 
driver’s license picture was pasted on and notified the police. Dockery 
stated that he had found the credit card and the license at an intersection, 
in the city of Flint. He admitted that he knowingly used the credit card and 
driver’s license without the consent of the owner but he said that he only had 
purchased gasoline on the card. It turns out that the credit card and 
driver’s license was stolen from a man, whose grocery store had been robbed. 
Dockery said that he had no knowledge of the robbery and previous charges on 
the cardwhich totalled$1,373.21. He admitted that he did paste his picture 


on the driver’s license. Butagain the court screws up, they receiv videnc 
that the defendant had a record of felonies dating back to when he was sixteen 
and then assumed that he was guilty on the basis of his prior offenses. The 


judge later said that the present sentence could not stand in this court so 
the case was referred to another court. 


Conclusion 


I hope that I have given you a better understanding about the law, that 
considers the illegal aspects of using credit cards. All this information was 
taken from The Michigan Compiled Laws Annotated Volume 754.157a-s and from The 
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In my next file I will talk about the laws concerning Check Fraud. 


-Tom Brokaw 
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===== Phrack Magazine presents Phrack 16 ===== 
===== File 6 of 12 ===== 
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* * 
a Tapping Telephone Lines mS 
* * 
* Voice or Data * 

* * 
* For Phun, Money, and Passwords e 

* * 
* Or How to Go to Jail for a Long Time. x 
* * 
KKKKKKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKKKKKKK 


Written by Agent Steal 08/87 


Included in this file is... 


* Equipment needed 
* Where to buy it 
* How to connect it 


* How to read recorded data 


But wait!!! There’s more!! 
* How I found a Tymnet node 


* How I got in 


KKKKKKKKKKKKK 


THE EQUIPMENT 


KKKKKKKKKKKKK 


First thing you need is an audio tape recorder. What you will be 
recording, whether it be voice or data, will be in an analog audio format. 
>From now on, most references will be towards data recording. Most standard 
cassette recorders will work just fine. However, you are limited to 1 hour 
recording time per side. This can present a problem in some situations. A 
reel to reel can also be used. The limitations here are size and availability 
of A.C. Also, some reel to reels lack a remote jack that will be used to 
start and stop the recorder while th line is being used. This may not 
present a problem. More later. The two types of recorders I would advise 
staying away from (for data) are the micro cassette recorders and the standard 
cassette recorders that have been modified for 8 to 10 hour record time. The 
speed of these units is too unstable. The next item you need, oddly enough, 
is sold by Radio Shack under th name "Telephon recording control" part 
# 43-236 $24.95. See page 153 of the 1987 Radio Shack catalog. 


KKKKKKKKKKKKKKKKK 


HOW TO CONNECT IT 


KKKKKKKKKKKKKKKKK 


The Telephone recording control (TRC) has 3 wires coming out of it. 


1 Telco wire with modular jack. Cut this and replace with alligator clips. 


2 Audio wire with miniature phone jack (not telephone). This plugs 
into the microphone level input jack of the tape recorder. 
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#3 Audio wire with sub miniature phone jack. This plugs into the "REM" 
or remote control jack of the tape recorder. 


Now all you need to do is find the telephone line, connect the alligator 
clips, turn the recorder on, and come back later. Whenever the line goes off 
hook, the recorder starts. It’s that simple. 


KKKKKKKKKKKKKKKK 


READING THE DATA 
KKK KKK KK KK KKK KKK 


This is the tricky part. Different modems and different software respond 
differently but there are basics. The modem should be connected as usual to 
the telco line and computer. Now connect the speaker output of the tape 
player directly to the telephone line. Pick up the phone and dial the high 
side of a loop so your line doesn’t make a lot of noise and garble up your 
data. Now, command your modem into the answer mode and press play. The tape 
should be lined up at the beginning of the recorded phone call, naturally, so 
you can see the login. Only one side of the transmission between the host and 
terminal can be monitored at a time. Going to the originate mode you will see 
W 
c 
a 


hat the host transmitted. This will include the echoes of the terminal. Of 
ourse the password will be echoed as ####### for example, but going to the 
nswer mode will display exactly what the terminal typed. You’11 understand 
when you see it. A couple of problems you might run into will be hum and 
garbage characters on the screen. Try connecting the speaker output to the 
microphone of the hand set in your phone. Use a 1 to 1 coupling transformer 
between the tape player input and the TRC audio output. These problems are 
usually caused when using A.C. powered equipment. The common ground of this 
equipment interferes with the telco ground which is D.C. based. 


I was a little reluctant to write this file because I have been 
unsuccessful in reading any of the 1200 baud data I have recorded. I have 
spoke with engineers and techs. Even one of the engineers who designs modems. 
All of them agree that it IS possible, but can’t tell me why I am unable to do 
this. I believe that the problems is in my cheap ass modem. One tech told me 
I needed a modem with phase equalization circuitry which is found in most 
expensive 2400 baud modems. Well one of these days I’1l1 find $500 lying on 
the street and I’1l have nothing better to spend it on! Ha! Actually, I have 
a plan and that’s another file..... 


I should point out one way of reading 1200 baud data. This should work in 
theory, however, I have not attempted it. 


Any fully Hayes compatible modem has a command that shuts off the carrier 
and allows you to monitor the phone line. The command is ATS10. You would 

then typ ither answer or originate depending on who you wanted to monitor. 
I : 
c 


haracters then writes it to disk, thus allowing unattended operation. 


KKKKKKKKKKKKKK 


HOW CRAZY I AM 


KKKKKKKKKKKKKK 


PASSWORDS GALORE!!!! 


After numerous calls to several Bell offices, I found the one that handled 
Tymnet’s account. Here’s a rough transcript: 


Op: Pacific Bell priority customer order dept. How may I help you? 

Me: Good Morning, this is Mr. Miller with Tymnet Inc. We’re interested in 
adding some service to our x town location. 

Op: I’1ll be happy to help you Mr. Miller. 

Me: I need to know how many lines we have coming in on our rotary and if we 
have extra pairs on our trunk. We are considering adding ten additional 
lines on that rotary and maybe some FX servic 
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Op: Ok....What’s the number this is referenced to? 
Me: xxx-xxx-xXxxx (local node #) 
Op: Hold on a min....Ok bla, bla, bla. 


Well you get the idea. Anyway, after asking her a few more unimportant 
questions I asked her for the address. No problem, she didn’t even hesitat 
Of course this could have been avoided if the CN/A in my area would give out 
addresses, but they don’t, just listings. Dressed in my best telco outfit, 
Pac*Bell baseball cap, tool belt and test set, I was out the door. There it 
was, just an office building, even had a computer store in it. After 
exploring the building for awhile, I found it. A large steel door with a push 
button lock. Back to the phone. After finding the number wher the servic 
techs were I called it and talked to the tech manager. 


Mgr: Hello this is Joe Moron. 


Me: Hi this is Mr. Miller (I like that name) with Pacific Bell. I’m down 
here at your x town node and we’re having problems locating a gas leak 
in one of our Trunks. I believe our trunk terminates pressurization in 
your room. 

Mgr: I’m not sure... 

Me: Well could you have someone meet me down here or give me the entry code? 

Mgr: Sure the code is 1234. 

Me: Thanks, I’11l let you know if there’s any trouble. 


So, I ran home, got my VCR (stereo), and picked up another TRC from Trash 
Shack. I connected the VCR to the first two incoming lines on the rotary. 
One went to each channel (left,right). Since the volume of calls is almost 
consistent, it wasn’t necessary to stop the recorder between calls. I just 
let it run. I would come back the next day to change the tape. The VCR was 
placed under the floor in case a tech happened to come by for maintenance. 
These nodes are little computer rooms with air conditioners and raised floors. 
The modems and packet switching equipment are all rack mounted behind glass. 
Also, most of the nodes are unmanned. What did I get? Well a lot of the 
logins were 1200, so I never found out what they were. Still have ’em on tape 
though! Also a large portion of traffic on both Tymnet and Telenet is those 
little credit card verification machines calling up Visa or Amex. The 
transaction takes about 30 secs and there are 100’s on my tapes. The rest is 
as follows: 


BFasylink CompuServe Quantumlink 3Mmail 
PeopleLink Homebanking USPS Chrysler parts order 
Yamaha Ford Dow Jones 


And a few other misc. systems of little interest. I’m sure if I was 
persistent, I’d get something a little more interesting. I spent several 
months trying to figure out my 1200 baud problem. When I went back down there 
the code had been changed. Why? Well I didn’t want to find out. I was out 
of there! I had told a couple of people who I later found could not be 
trusted. Oh well. Better safe than sorry. 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


Well, if you need to reach me,try my VMS at 415-338-7000 box 8130. But no 


telling how long that will last. And of course there’s always P-80 systems at 
304-744-2253. Probably be there forever. Thanks Scan Man, whoever you are. 
Also read my file on telco local loop wiring. It will help you understand how 
to find the line you are looking for. It should be called Telcowiring.Txt 


<<< AGENT STEAL >>> 
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===== Phrack Magazine presents Phrack 16 ===== 


- The Disk Jockey - 
_ presents: 4 


- Reading Trans-—Union Reports: = 
7 A lesson in terms used = 
- (A 2af presentation) 7 


This fil is dedicated to all the phreaks/hacks that were busted in the summer 
of 1987, perhaps one of the most crippling summers ever for us. 


Preface: 

Trans-Union is a credit service much like CBI, TRW or Chilton, but offers 
more competitive rates, and is being used more and more by many credit 
checking agencies. 


Logging in: 


Call one of the Trans Union dial-ups at 300,E,7,1, Half Duplex. Such a 
dial-up is 314-XXX-XXxXxX. After connecting, hit Ctrl-S. The system will echo 
back a ’GO ’ and then awaits you to begin the procedure of entering the 
account and password, then mode, i.e.: S Fl111,111,H,T. The system will 
then tell you what database you are logged on to, which is mostly 
insignificant for your use. To then pull a report, you would type the 
following: P JONES, JIM* 2600, STREET, CHICAGO, IL, 60604** <Ctrl-S>. The name 
is Jim Jones, 2600 is his street address, street is th street name, Chicago 
is the city, IL is the state, 60604 is the zip. 


5 


The Report: 


The report will come out, and will look rather odd, with all types of 
notation. An example of a Visa card would be: 


SUB NAME/ACCT# SUB OPEND HICR DTRP/TERM BAL/MAX.DEL PAY.PAT MOP 
CITIBANK B453411 3/87 $1000 9/87A $0 12111 RO1 
4128XXXXXXXXX $1500 5/87 $120 


Ok, Citibank is the issuing bank. B453411 is their subscriber code. 3/87 is 
when the account was opened. HICR is the most that has been spent on that 
card. 9/87 is when the report was last updated (usually monthly if active). 
$1000 is the credit line. $0 is the current balance. 12111 is the payment 
pattern, where l=pays in 30 days and 2=pays in 60 days. RO1 means that it is a 
"Revolving" account, meaning that he can make payments rather than pay the 
entire bill at once. 4128-etc is his account number (card number). $1500 is 
his credit line. 5/87 is when he was late on a payment last. $120 is the 
amount that he was late with. 


Here is a list of terms that will help you identify and understand the reports 
better: 


ECOA Inquiry and Account Designators 


Individual account for sole use of applicant 

Joint spousal contractual liability 

Authorized user of shared account 

Participant in use of account that is neither C nor A 
Co-signer, not spouse 

Maker primarily liable for account, co-signer involved 
Relationship with account terminated 

Undesignated 

Non-Applicant spouse inquiry 


ZAGQHRENVPAH 
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Remarks and FCBA Dispute Codes 


AJP Adjustment pending 

BKL Bankruptcy loss 

CCA Consumer counseling account 
CLA Placed for collection 

1.0 Closed to further purchases 
TS Contact Subscriber 

IS Dispute following resolution 
RP Dispute resolution pending 
CL Foreclosure 

OV Moved, left no forwarding address 
D 

R 

F 


No dispute 

L Profit and loss write-off 

N Account refinanced 

LD Repossession, paid by dealer 

LP Repossession, proceeds applied towards debt 
PO Repossession 

RE Repossession, redeemed 

S Dispute resolved 

RVD Returned voluntarily, paid by dealer 

RVN Returned voluntarily 

RVP Returned voluntarily, proceeds go towards debt 
RVR Returned voluntarily, redeemed 

SET Settled for less than full balance 

STL Plate (card) stolen or lost 

TRF Transferred to another office 


Type of Account 


Open account (30 or 90 days) 

Revolving or option account (open-end) 
Installment (fixed number of payments) 
Mortgage 

Check credit (line of credit at a bank) 


QBHDO 


Usual Manner of Payment 


00 Too new to rate; approved, but not used or not rated 

Ol Pays (or paid) within 30 days of billing, pays accounts as agreed 
02 Pays in more than 30 days, but not more than 60 days 

03 Pays in more than 60 days, but not more than 90 days 

04 Pays in more than 90 days, but not more than 120 days 

05 Pays in 120 days or more 

O07 Makes payments under wag arner plan or similar arrangement 
08 Repossession 

8A Voluntary repossession 

8D Legal repossession 

8R Redeemed repossession 

09 Bad debt; placed for collection; suit; judgement; skip 

9B Placed for collection 

UR Unrated 

UC Unclassified 


Kinds of Business Classification 


Automotive 

Banks 

Clothing 

Department and variety 
Finance 

Groceries 

Home furnishings 
Insurance 

Jewelry and cameras 
Contractors 

Lumber, building materials 


RAQOHmQHvaw Pp 


E 


NK XSI CGCHNDWONNOBR AI 


T 
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Medical and related health 

National credit card 

Oil and national credit card 
Personal services other than medical 
Mail order houses 

Real estate and public accommodations 
Sporting goods 

Farm and garden supplies 

Utilities and fuel 

Government 

Wholesale 

Advertising 

Collection services 

Miscellaneous 


ype of Installment Loan 


A 


> 
tg 


F Appliance/Furniture 
Airplane 

Automobile 

Boat 

Camper 

Credit line 
Co-maker 
Consolidation 


H@OUAAAAAAa 


Equipment 

FHA contract loan 
Finance statement 
Home improvement 
Insurance 

eases 


M 


D 


anwnwveWaoap 


se Qw PY 
DHAHNTOOHKRAPHA 


Mobile home 

C Miscellaneous 

T Motor home 

I Property improvement plan 
L Personal loan 

EF Real estate 
T Student loan 


SV Savings bond, stock, etc. 


S Unsecured 


VA Veteran loan 


ate Codes 

Automated, most current information available 
Closed date 

Repossessed/Written off 

Further updates stopped 

Paid 

Reported data 

Date of last sale 

Verified date 


Employment Verification Indicator 


XxX QGHMnNDAHYD 


Declined verification 
Indirect 

No record 

Reported, but not verified 
Slow answering 

Terminated 

Verified 

No reply 


Hope this helps. Anyone that has used Trans-Union will 
this, as the result codes are sometimes hard to decipher. 


surely 


appreciate 
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#### PHRACK PRESENTS ISSUE 16 #### 
AxkAkAK“PH rack World News, Part 1*°*****%* 
**k** File 8 of 12 **** 


>From the 9/16 San Francisco Chronicle, page A119: 


GERMAN HACKERS BREAK INTO NASA NETWORK (excerpted) 


Bonn 

A group of West German computer hobbyists broke into an international 
computer network of the National Aeronautics and Space Administration and 
rummaged freely among the data for at least three months before they wer 
discovered, computer enthusiasts and network users said yesterday. 


An organization in Hamburg called the Chaos Computer Club, which 
claimed to be speaking for an anonymous group that broke into the network, 
said the illicit users managed to install a "Trojan horse," and gain entry 
into 135 computers on the European network. 


A "Trojan Horse" is a term for a permanent program that enables 
amateur computer enthusiasts [as opposed to professionals?], or "hackers," 
to use a password to bypass all the security procedures of a system and gain 
access to all the data in a target computer. 


[Actually, this type of program is a ’back door’ or a ’trap door.’ The group 
may very well have *used* a Trojan horse to enable them to create the back 
door, but it probably wasn’t a Trojan horse per se. A Trojan horse is a 
program that does something illicit and unknown to the user in addition to its 
expected task. See Phrack xx-x, "Unix Trojan Horses," for info on how to 
create a Trojan horse which in turn creates a trap door into someone’s 
account. ] 


The NASA network that was broken into is called the Space Physics 
Analysis Network [ooh!] and is chiefly designed to provide authorized 
scientists and organizations with access to NASA data. The security system in 
the network was supplied by an American company, the Digital Equipment Corp. 
[Probably DECNET. Serves them right.] Users said the network is widely used 
by scientists in the United States, Britain, West Germany, Japan and five 
other countries and does not carry classified information. 


A Chaos club spokesman, Wau Holland, denied that any data had been 
changed. This, he said, went against "hacker ethics." 


West German television reports said that computer piracy carries a 
penalty of three years in prison in West Germany. The government has not said 
what it plans to do. 


The Chaos club clearly views its break-in as a major coup. Holland, 
reached by telephone in Hamburg, said it was "the most successful running of a 
Trojan horse" to his knowledge, and the club sent a lengthy telex message to 
news organizations. 


It said the "Trojan horse" was spotted by a user in August, and the 
infiltrating group then decided to go public because "they feared that they 
had entered the dangerous field of industry espionage, economic crime, East-— 
West conflict...and the legitimate security interests of high-tech 
institutions." 


The weekly magazine Stern carried an interview with several anonymous 
hobbyists who showed how they gained access to the network. One described his 
xcitement when for the first time he saw on his screen, "Welcome to the NASA 

headquarters VAX installation." 


According to Chaos, the hobbyists discovered a gap in the Digital VAX 
systems 4.4 and 4.5 and used it to install their "Trojan Horse." 


= 


Excerpted and Typed by Shooting Shark. Comments by same. ] 
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#### PHRACK PRESENTS ISSUE 16 #### 
“xA“x<xk<Phrack World News, Part 2%***%*% 
**k*kk File 9 of 12 **** 


[Ed’s Note: CertainThings in the article have been blanked (XXXXX) at the 
request of the author] 


The Story of the Feds on XXXXXXX BBS 
By The Mad Phone Man 


Returninghome one afternoon with a friend, I knew something wasn’t 
right when I walked into the computer room. I see a "Newuser" on the board... 
and the language he’s using is... well "Intimidating"... 


"I want you all to know I’m with the OCC task force and we know who you are... 
we are going to have a little get-together and ’talk’ to you all." 


Hmmm... a loser?... I go into chat mode... "Hey dude, what’s up?" I ask. 
"Your number asshole" he says.... Well, fine way to log on to a board if I do 
say.... "Hey, you know I talked to you and I know who you are.." "Oh 
yeah...Who am I?." he hesitates and says... "Well uh.. you used to work for 


Sprint didn’t you?" 
I say, "No, you’ve got me confused with someone else I think, I’m a junior 
in high school." 
"Ohyeah?.. You got some pretty big words for a high school kid," he 


says.... 

"Well, in case you didn’t know, they teach English as a major these 
AaYy'Sic. S58," 

He says... "Do you really want to know which LD company I’m with?" 

I say "NO, but if it will make you happy, tell me." 

He says MCI. (Whew! I don’t use them)... "Well you’re outta luck 
asshole, I pay for my calls, and I don’t use MCI." He’s dumbfounded. 

I wish him the worst as he asks me to leave his rather threatening 


post up on my board and we hang up on him. 


Now, I’m half paralyzed... hmmm.... Check his info-form... he left a 
number in 303... Denver.... I grab the phone and call it.. It’s the Stromberg 
Telephone company... Bingo.. I’ve got him. 


I search my user files and come up with a user called "Cocheese" from 
there, and I voice validated him, and he said he worked for a small telco 
called Stromberg... I’m onto him now. 

Later in the week, I’m in a telco office in a nearby major city, I 
happen to see a book, marked "Confidential Employee Numbers for AT&T." I 
thumb thru and lo and behold, an R.F. Stromberg works at an office of AT&T in 
Denver, and I can’t cross reference him to an office. (A sure sign he’s in 
security). Well, not to be out-done by this loser... I dial up NCIC and check 
for a group search for a driver’s licence for him... Bingo. Licence number, 
cars he owns, his SS number, and a cross reference of the licence files finds 
his wife, two kids and a boat registered to him. 

I’ve never called him back, but If I do have any trouble with him, I’m 
gonna pay a little visit to Colorado.... 


10.txt Wed Apr 26 09:43:37 2017 1 


#### PHRACK PRESENTS ISSUE 16 #### 
“xA*x<~x<Phrack World News, Part 3%*%*%**%* 
*k**k* File 10 of 12 **** 


[Ed’s Note: Certain names have been change in the article to protect the 
author] 


The Flight of The Mad Phone-Man’s BBS to a Friendly Foreign Country 


Using my knowledge that the pigs grab your computer when they bust 
you,I got real worried about losing a BIG investment I’ve got in my IBM. I 


decide there’s a better way.... Move it! But where? Where’s safe from the 
PhBI? Well in the old days, to escape the draft, you went to Canada, why not 
expatriate my board.... Well the costs of a line are very high, let’s see 


what’s available elsewhere. 

One afternoon, I’m working at a local hospital, (one I do telecom work 
for) and I ask the comm mgr if they have any links to Canada? He says why 
yes, we have an inter-medical link over a 23ghz microwave into the city just 
across the border. I ask to s th quipment. WOW! My dreams come true, 
it’s a D4 bank (Rockwell) and it’s only got 4 channel cards in it. Now, being 
a "nice" guy, I offer to do maintenance on this equipment if he would let me 
put up another channel...he agrees. The plot thickens. 

I’ve got a satellite office for a business near the hospital on the 
other side, I quickly call up good ole Bell Canada, and have them run a 2 wire 
line from the equipment room to my office. Now the only thing to get is a 
couple of cards to plug into the MUX to put me on the air. 

A 2 wire E&M card goes for bout $319, and I’d need two. Ilook around 
the state, and find one bad one in Rochester.... I’m on my way that afternoon 
via motorcycle. The card is mine, andthe only thing I can find wrong is a 
bad voltage regulator. I stop by the Rockwell office in suburban Rochester 
and exchange the card, while I’m there, I buy a second one (Yeah, on my card) 
and drive home.... by 9pm that night the circuit is up, and we are on the air. 

Results- Very good line, no noise, can be converted with another card 
for a modest fee if I want the bandwidth. So that’s the story of how the 
board went to a "friendly foreign country." 


The Mad Phone-Man 
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Shadow Hawk Busted Again 


As many of you know, Shadow Hawk (a/k/a Shadow Hawk 1) had his home 
searched by agents of the FBI, Secret Service, and the Defense Criminal 
Investigative Services and had some of his property confiscated by them on 
September 4th. We’re not going to reprint the Washington Post article as it’s 
available through other sources. Instead, a summary: 


In early July, SH bought an AT&T 3Bl ("Unix PC") with a 67MB drive for 
a dirt-cheap $525. He got Sys V 3.5 for another $200 but was dissatisfied 
with much of the software they gave him (e.g. they gave him uucp version 1.1). 


When he was tagged by the feds, he had been downloading software (in 
the form of C sources) from various AT&T systems. According to reports, these 
included the Bell Labs installations at Naperville, Illinois and Murray Hill, 
New Jersey. Prosecutors said he also gained entry to (and downloaded software 
from) AT&T systems at a NATO installation in Burlington, North Carolina and 
Robins AFB in Georgia. AT&T claims he stole $1 million worth of software. 
Some of it was unreleased software taken from the Bell Labs systems that was 
given hypothetical price tags by Bell Labs spokespersons. Agents took his 
3Bl1l, two Atari STs he had in his room, and several diskettes. 


SH is 17 and apparently will be treated as a minor. At the time of 
this writing, he will either be subject to federal prosecution for ’computer 
theft’ or will be subject to prosecution only by the State of Illinois. 


SH’s lawyer, Karen Plant, was quoted as saying that SH "categorically 
denies doing anything that he should not have been doing" and that he "had 
absolutely no sinister motives in terms of stealing property." As we said, he 
was just collecting software for his new Unix PC. When I talked to Ms. Plant 
on September 25th, she told me that she had no idea if or when the U.S. 
Attorney would prosecute. Karen Plant can be reached at (312) 263-1355. Her 
address is 134 North LaSalle, #306, Chicago, Illinois. 


On July 9th SH wrote: 


So you see, I’m screwed. Oh yeah, even worse! In my infinite (wisdom 
|| stupidity, take your pick 8-)) I set up a local AT&T owned 7300 to call me 
up and send me their uucp files (my uucp works ok for receive) and guess what. 
I don’t think I’ve to elaborate further on THAT one... (holding my breath, so 
to type) 

(2>ShK2. 


12.txt Wed Apr 26 09:43:37 2017 1 


#### PHRACK PRESENTS ISSUE 16 #### 
AESESKAP HC aACk World. News; Part. 5°*°*°84 
**** File 12 of 12 **** 


"Phone Companies Across U.S. Want Coins Box Thief’s Number" 
From the Tribune - Thursday, Nov. 5, 1987 


SAN FRANCISCO Seven telephon companies across the country, including 
Pacific Bell, are so frazzled by a coin box thief that they are offering a 
reward of $25,000 to catch him. 


He’s very clever, telephone officials say, and is the only known suspect in 
the country that is able to pick the locks on coin boxes in telephone 
booths with relative ease. 


He is believed responsible for stealing hundreds of thousands of dollars from 
coin boxes in the Bay Area and Sacramento this year. 


The suspect has been identified by authorities as James Clark, 47, of 
Pennisula, Ohio, amachinist and tool-and-di maker, who is believed 
responsible for coin box thefts in 24 other states. 


Other companies sharing in the reward are Ohio Bell, Southern Bell, South 
Carolina Bell, South Central Bell, Southwestern Bell, Bell Telephone of 
Pennsylvania and U.S. West. 


Clark allegedly hit pay phones that are near freeways and other major 
thoroughfares. Clark, described as 5 feet 9 inches tall, with shoulder 
length brown hair and gold-rimmed glasses, is reported to be driving a new 
Chevrolet Astro van painted a dark metallic blue. 


He was recently in Arizona but is believed to be back in California. 


Written by a Tribune Staff Writer 


Typed by the Smuggler 


